Fix setting branch protection failure in GHA

This is necessary to resolve the problem of GitHub treating the `skipped` `check` job result as an acceptable outcome and merging broken Dependabot PRs with auto-merge. For example: #6330. Inspired by: pyca/cryptography#6512 (comment) PR #6369
aio-libs · Dec 4, 2021 · 13b6b4d · 13b6b4d
1 parent c2762a7
commit 13b6b4d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -183,16 +183,18 @@ jobs:
         fail_ci_if_error: false
 
   check:  # This job does nothing and is only used for the branch protection
+    if: always()
+
     needs:
     - test
 
     runs-on: ubuntu-latest
 
     steps:
-      - name: Report success of the test matrix
-        run: >-
-          print("All's good")
-        shell: python
+    - name: Decide whether the needed jobs succeeded or failed
+      uses: re-actors/alls-green@release/v1
+      with:
+        jobs: ${{ toJSON(needs) }}
 
   pre-deploy:
     name: Pre-Deploy

diff --git a/CHANGES/6369.misc b/CHANGES/6369.misc
@@ -0,0 +1,3 @@
+Fixed the CI check used in the branch protection to gate merging PR, now
+broken pull requests from ``Dependabot`` and others are not auto-merged
+silently anymore -- :user:`webknjaz`.